LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 01-08-2018, 10:28 AM   #16
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 Multilib
Posts: 545

Original Poster
Rep: Reputation: 146Reputation: 146

@Kjhambrick, I ran across your summer 2017 thread which has examples of how-to upgrade microcode and the patch resulting to allow an easy upgrade. Linking here for more insight and examples for those looking to update their microcode. Also thanks to phenexia2003 for the patch that allows a flag to mkinitrd which simplifies this. https://www.linuxquestions.org/quest...rs-4175608636/

It would be really great to see a docs.slackware.com article on "How to Update Intel Microcode" which captures all these ideas and suggestions but written by a senior Slackware member who really understands the different options and can describe the different paths for those using LTS kernels.

PS I read Greg K-H's Meltdown article last night and it appears that Meltdown and Spectre are only going to be addressed only on LTS kernels 4.4, 4.9, 4.14, although 4.15 is not yet LTS it is being worked on for Meltdown.

Last edited by bamunds; 01-08-2018 at 11:35 AM.
 
Old 01-08-2018, 11:33 AM   #17
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,230

Rep: Reputation: 713Reputation: 713Reputation: 713Reputation: 713Reputation: 713Reputation: 713Reputation: 713
Using debian archive, I created quickly initrd with simple procedure:
Code:
cd intel-microcode-3.20171215.1
mkdir tmp
# my processor is i5-4570, signature 0x306c3
iucode_tool -Ktmp tmp supplementary-ucode-CVE-2017-5715.d/s000306C3_m00000032_r00000023.fw
cd tmp
iucode_tool --write-earlyfw=intel-ucode.cpio 06-3c-03
cp intel-ucode.cpio /boot/efi/EFI/Slackware/
Then I edited elilo.conf and added the initrd line, rebooted
now microcode is updated to 0x23 version
Code:
[    0.000000] microcode: CPU0 microcode updated early to revision 0x23, date = 2017-11-20
...
...
But it seems the processor is still vulnerable to spectre, using the c programm floating around I get
Code:
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfec80... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfec81... Success: 0x68='h' score=2
Reading at malicious_x = 0xffffffffffdfec82... Success: 0x65='e' score=2
...
 
Old 01-08-2018, 12:31 PM   #18
BratPit
Member
 
Registered: Jan 2011
Posts: 236

Rep: Reputation: 84
Try this tool

https://raw.githubusercontent.com/sp...own-checker.sh

Your microcode only does Mitigation 1 from CVE-2017-5715.
The rest is open.


Quote:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: UNKNOWN (couldn't find your kernel image in /boot, if you used netboot, this is normal)
> STATUS: UNKNOWN

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: UNKNOWN (couldn't find your kernel image)
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
I do not know why not see my /boot/vmlinuz in variant 1 check ?

Last edited by BratPit; 01-08-2018 at 12:34 PM.
 
Old 01-08-2018, 01:36 PM   #19
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,230

Rep: Reputation: 713Reputation: 713Reputation: 713Reputation: 713Reputation: 713Reputation: 713Reputation: 713
Quote:
Originally Posted by BratPit View Post
Try this tool

https://raw.githubusercontent.com/sp...own-checker.sh

Your microcode only does Mitigation 1 from CVE-2017-5715.
The rest is open.




I do not know why not see my /boot/vmlinuz in variant 1 check ?
Thanks, after a slight modification in script, I got:
Code:
Spectre and Meltdown mitigation detection tool v0.16

Checking vulnerabilities against Linux 4.4.110 #1 SMP Fri Jan 5 22:17:16 CET 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 53 opcodes found, should be >= 70)
> STATUS:  VULNERABLE 

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
Script modification (added XXX to temp file template name)
Code:
--- spectre-meltdown-checker.sh    2018-01-08 20:18:36.836828923 +0100
+++ spectre-meltdown-checker.new.sh    2018-01-08 20:27:48.534863440 +0100
@@ -64,7 +64,7 @@
 {
     [ -n "$1" ] || return 1
     # Prepare temp files:
-    vmlinuxtmp="$(mktemp /tmp/vmlinux-XXX)"
+    vmlinuxtmp="$(mktemp /tmp/vmlinux-XXXXXX)"
 
     # Initial attempt for uncompressed images or objects:
     if check_vmlinux "$1"; then
 
Old 01-08-2018, 01:44 PM   #20
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,311

Rep: Reputation: Disabled
Why not build the microcode into kernel? Simple, works for me. Or this would not be the Slackware way? Just curious.
 
Old 01-08-2018, 01:48 PM   #21
BratPit
Member
 
Registered: Jan 2011
Posts: 236

Rep: Reputation: 84
Quote:
Originally Posted by keefaz View Post
Thanks, after a slight modification in script, I got:
Code:

Which does not change the fact that this mitigation microcode does not prevent spectre PoC

Last edited by BratPit; 01-08-2018 at 01:59 PM.
 
Old 01-08-2018, 01:57 PM   #22
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,426

Rep: Reputation: 831Reputation: 831Reputation: 831Reputation: 831Reputation: 831Reputation: 831Reputation: 831
Quote:
Originally Posted by bamunds View Post
@Kjhambrick, I ran across your summer 2017 thread which has examples of how-to upgrade microcode and the patch resulting to allow an easy upgrade. Linking here for more insight and examples for those looking to update their microcode. Also thanks to phenexia2003 for the patch that allows a flag to mkinitrd which simplifies this. https://www.linuxquestions.org/quest...rs-4175608636/

It would be really great to see a docs.slackware.com article on "How to Update Intel Microcode" which captures all these ideas and suggestions but written by a senior Slackware member who really understands the different options and can describe the different paths for those using LTS kernels.

PS I read Greg K-H's Meltdown article last night and it appears that Meltdown and Spectre are only going to be addressed only on LTS kernels 4.4, 4.9, 4.14, although 4.15 is not yet LTS it is being worked on for Meltdown.
Yikes !

Not only am I old and set in my ways, but I am old and forgetful too !

I honestly forgot all about that thread.

Thanks for bringing it up ... it was a good one

-- kjh
 
Old 01-08-2018, 01:59 PM   #23
Darth Vader
Senior Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 2,727

Rep: Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228
Quote:
Originally Posted by Emerson View Post
Why not build the microcode into kernel? Simple, works for me. Or this would not be the Slackware way? Just curious.
Because not all people use the overpriced Intellicrap?
 
Old 01-08-2018, 02:24 PM   #24
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 5,383

Rep: Reputation: 3154Reputation: 3154Reputation: 3154Reputation: 3154Reputation: 3154Reputation: 3154Reputation: 3154Reputation: 3154Reputation: 3154Reputation: 3154Reputation: 3154
Quote:
Originally Posted by bamunds View Post
although 4.15 is not yet LTS it is being worked on for Meltdown.
4.15 won't be an LTS kernel. It will become the latest stable, but that will be supplanted by 4.16 and then 4.17 and on. Non-LTS kernels are usually only supported for around 3 months before they EOL them and expect users to move to the next stable kernel.

LTS kernels are specifically selected to have a longer than normal life of updates -- now up to six years of updates, but only 4.4 and 4.14 will have that 6 years. 4.9 was stuck with the old LTS policy of updates for 2 years. We don't know what kernels will be LTS kernels until it is announced by a kernel developer, usually Greg Kroah-Hartman.

I'm actually kinda surprised that 4.1 isn't getting the updates (or maybe it is and I'm just not aware of it), because it won't be EOL until May 2018. Other than that, 4.4, 4.9, 4.14, and 4.15 are the only maintained kernels by kernel developers. All other kernels versions have been EOLed and probably won't see official updates for these vulnerabilities.
 
Old 01-08-2018, 02:33 PM   #25
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,426

Rep: Reputation: 831Reputation: 831Reputation: 831Reputation: 831Reputation: 831Reputation: 831Reputation: 831
Quote:
Originally Posted by bassmadrigal View Post

<<snip>> ...

I'm actually kinda surprised that 4.1 isn't getting the updates (or maybe it is and I'm just not aware of it), because it won't be EOL until May 2018. Other than that, 4.4, 4.9, 4.14, and 4.15 are the only maintained kernels by kernel developers. All other kernels versions have been EOLed and probably won't see official updates for these vulnerabilities.
bassmadrigal --

The 4.1 Kernel is maintained by Sasha Levin and maybe there is more foundation code to back-port into 4.1 than 4.4, etc ???

Just guessing ...

-- kjh

From the 4.1.48 ChangeLog:

Code:
commit 0199619b21f7320482e8a2db14cf8bc974a7766a
Author: Sasha Levin <alexander.levin@verizon.com>
Date:   Tue Dec 12 10:21:44 2017 -0500

    Linux 4.1.48
    
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
 
1 members found this post helpful.
Old 01-08-2018, 02:37 PM   #26
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,311

Rep: Reputation: Disabled
Quote:
Originally Posted by Darth Vader View Post
Because not all people use the overpriced Intellicrap?
So you build only AMD microcode into kernel?
 
Old 01-08-2018, 02:51 PM   #27
Darth Vader
Senior Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 2,727

Rep: Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228Reputation: 1228
Quote:
Originally Posted by Emerson View Post
So you build only AMD microcode into kernel?
Neither. The AMD microcodes could be loaded well from a running system.
 
Old 01-08-2018, 03:02 PM   #28
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 702

Rep: Reputation: 389Reputation: 389Reputation: 389Reputation: 389
Wouldn't it be neat to have all this knowledge packed in AlienBoB's Live Slackware image? Obviously, approved from "above". It'll help a lot of people and will definitely make Slackware more popular. Just a tough.
 
Old 01-08-2018, 03:33 PM   #29
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 Multilib
Posts: 545

Original Poster
Rep: Reputation: 146Reputation: 146
@keefaz I've tried to use that script and the first test is always failing as "couldn't find your kernel image in /boot,.."
My kernel responds to uname -r as '4.4.106-ba'. I saw where you suggested modifying line 113 of the script, but I've tried that and actually gone to a full 10 X's and it still doesn't recognize the kernel. The /boot/vmlinuz is a symlink to vmlinuz-custom-4.4.106 image on my machine. Any suggestions? Thanks
 
Old 01-08-2018, 03:36 PM   #30
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 Multilib
Posts: 545

Original Poster
Rep: Reputation: 146Reputation: 146
Quote:
Originally Posted by abga View Post
Wouldn't it be neat to have all this knowledge packed in AlienBoB's Live Slackware image? Obviously, approved from "above". It'll help a lot of people and will definitely make Slackware more popular. Just a tough.
Actually it would be great to have this on the docs.slackware.com page as "How to upgrade Intel microcode". Then future questions on LQ could be referenced to that article. I know @AlienBob also has a blog and he too has some nice write-ups but I believe this subject to be outside just the LiveSlak interest group.

Since the intent of this article was to guide me on how to properly upgrade Intel microcode, please move issues of latest kernel to that thread and issues of how to address Meltdown or Spectre to the Slackware security thread. Sorry about hi-jacking my own thread with the earlyier "PS about LTS support for Meltdown and Spectre" ouch. Maybe the test script suggestion could also be moved there please!

Last edited by bamunds; 01-08-2018 at 03:39 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Is it possible to update intel microcode using kernel-huge and grub2, without initrd? lagavulin16 Slackware 5 01-03-2018 09:27 AM
intel-microcode-20170707 kjhambrick Slackware 1 07-15-2017 08:04 AM
Lenovo Thinkpad x220 - Proprietary Driver for Microcode for Intel processor? wh33t Linux - Hardware 2 06-15-2016 11:41 AM
intel-microcode error Soapm Linux - Newbie 3 06-25-2015 01:37 AM
Intel IA32 CPU microcode...What is it Jester888 Linux - General 1 02-08-2007 11:30 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 08:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration